In recent years, there has been an increase in the number of services that use personal data, but are these services developing in ways that allow us as individual consumers to control our own personal data? Fujitsu Research Institute (FRI) aims to establish a business model that uses personal data with a focus on the individual consumer.
An age in which data determines the course of our lives
Do you know where your personal data is stored? Not just the information you input yourself, but data picked up by sensors in your environment too?
You might be aware that giant digital platform companies such as Google, Apple, Facebook, and Amazon (often referred to collectively as ‘GAFA’), as well as Yahoo! and Rakuten, keep your personal data. But in reality, your data exists in many other locations, including hospitals and banks. Many of us don’t know where our personal data is stored, and don’t even make an effort to find out.
In our daily lives, various forms of data are generated, including personal data. This data is then stored and managed somewhere. Some companies may use this data for one-to-one marketing and to provide services that match personal interests and preferences. However, as we move forward into the future, we are approaching the age of the data-driven society – in which the real world and data are linked in sophisticated ways.
In this type of society, our data will determine the course of our lives, even if we’re unaware of it. It’s quite possible that without directions from data, we become almost paralyzed.
When looking for a place to eat, for example, you might depend on restaurant recommendations from a search engine. The same concept applies when shopping online. These seem like obvious examples because we are already getting used to existing in a data-driven society.
However, while on this trajectory, are we thinking about our place and role as individuals in this society? As our lives and our data become linked in increasingly sophisticated ways, the quality and speed of our decision-making can increase – arguably improving our quality of life. But as individuals, we must ensure that we are capable of using our data independently in smart ways too.
In a data-driven society, with its sophisticated links between data and real-world activity, there are understandable concerns about who holds what data and how that will begin to directly impact our daily lives. Data holders could exercise undue influence over people’s lives.
If a system in which medical care data determines the way that medical treatment is provided becomes the norm, you may not be able to receive medical treatment without medical care data. If the data containing your driving history determines which cars you can drive, you may not be able to buy a car if you do not have a driving history. If this type of society becomes a reality, you will only be able to go to the hospital that you usually go to, or to buy a car from the manufacturer that you usually buy from.
To prevent such a turn of events, we must have the right as individuals to control our own personal data.
Legislation is enshrining the protection of personal data usage
Countries are responding cautiously as our world undergoes a major transformation.
Thus far, legislation has focused on ensuring the safety of personal information. Now, the focus is shifting toward expanding the opportunities for individuals to use their own personal data by ensuring practical control of their own personal information. In other words, policies are shifting toward use of data centered on the individual.
The EU entered into force the General Data Protection Regulation – or GDPR – in 2016, and the law has been in effect since May 2018. The regulation establishes unified rules related to protecting personal data within the EU, and it recognizes the right of individuals to control their own personal data.
In France, the Digital Republic Law was enacted in October 2016, which includes the right of recovery and portability of personal data – supplementing GDPR from the perspective of consumer protection.
Meanwhile, the US has the Smart Disclosure and MyData Initiatives. These aim to empower individuals to have more control over the personal data and how it can be used.
Two major types of data: personal and non-personal
GAFA and other major digital platform companies have acted nimbly in response to the introduction of GDPR. However, it seems that Japanese companies have been slow to adapt to the new regulation.
Instead of waiting for the government to create new regulations, Japanese companies should begin taking action at the dawn of this new era.
Japanese industry is beginning to change. Until now, the relevant players in each field conducted various transactions within a framework of comparatively stable business practices.
However, as internet companies have become more involved, they have begun to connect the different players in new ways. For example, there are now services that allow you to use a smartphone to chat with a doctor to receive a medical examination, and then have medicine delivered to your home as soon as the following day. In this age, traditional organizations and internet businesses coexist side-by-side.
In our daily lives, there are very few instances in which we do not use information, whether electronically or otherwise. Such information is then distributed to various places. Moreover, especially when data is managed electronically, it gets distributed in ways that are invisible to us.
Distributed data can be divided into two major types: personal data and non-personal data (which can also be called industrial data). Examples of personal data include data tied to individuals, such as bank deposits and withdrawals, as well as medical information at hospitals.
GDPR divides personal data into three categories, which can be illustrated via the example of medical information: raw data (data entered in medical questionnaires), observation data (examination data from CT scans and MRIs), and inferred data (data such as doctors’ opinions). Information on the operation of machinery and medical devices in hospitals, meanwhile, is considered to be non-personal data.
Distributing each of these data sets can lead to regional revitalization, reduce social security costs, and improve international competitiveness. By distributing information on hospital equipment malfunctions, for instance, it’s possible to introduce greater levels of technological innovation and productivity - which in turn feeds positive global competition.
Facilitating the distribution of real data in the industrial world
To facilitate the distribution of industrial data, some rules and standards must be created, which themselves require consensus from those gathering, holding, or distributing the data.
There has already been some movement toward standardizing certain types of data. Such efforts have been made in each industry with the goal of eliminating disorder and over-complexity as well as to achieve industrial optimization.
In the future, this manner of standardization will expand to the field of cross-industrial social infrastructure systems.
However, to make the concept of connected industries a reality, there must be a way of standardizing the actual data being distributed in each industry, including at major and smaller companies, as well as AI venture businesses. Facilitating cross-sectional data distribution between industries won’t happen without this. And nor will the achievement of a data-driven society.
In fact, a truly data-driven society will need to incorporate new methods of standardization across not just business, but different societies and countries too. This is something that Japan’s Ministry of Economy, Trade, and Industry is already discussing, including plans to encourage the sharing of industrial data.
Information banks that control personal data
Personal data has been called the new oil of the 21st century. As companies develop services, they analyze customers’ personal data to formulate their strategies. This is especially important in the case of data-based businesses. Because of this, companies have been hoarding their customers’ personal data in pursuit of profits for themselves.
However, the giant digital platform companies that have recently emerged have far more customers than those operating in traditional industries. These companies’ user bases are completely different in scale. If services are developed that cater to the very specific needs of consumers in ways that are unique to Japan, and that improve consumers’ lives while invigorating entire regions, it may be possible to eliminate this difference in scale.
On the other hand, when people hear news about various information leaks, it fills them anxiety. Not knowing where our personal data is stored generates unnecessary levels of distrust in companies. For this reason, it’s more important than ever to give individuals the right to control their own personal data. No one would object to this.
However, information pertaining to individuals is being generated more frequently, and with the improvement in sensing technologies and the emergence of large volumes of data, it has become too difficult for individuals to keep track of all of their own data.
One solution is the concept of’ information banks’, which refers to a system that controls individuals’ personal data. These information banks store and manage individuals’ data in ways that reflect the individuals’ intentions – similarly to how money is kept in banks. Individuals can also entrust information banks with data transfers to third parties.
Similar solutions already exist, such as Digi.me, VeriME, TurboTax, and CASS – which each respectively allow consumers to choose where their data is stored, enable ID and password sharing between collaborating companies, support US taxpayers with their returns, or make bank accounts portable. The picture that builds up is that Japan is being left behind in this field.
Data portability is a necessary component for controlling personal data
Giving individuals the right to control their personal data is not a simple endeavor. It depends on the concept of data portability. GDPR refers to data portability. It allows for data subjects to receive the personal data that they have provided to a controller, in a machine-readable format, and to transmit those data to another data controller. Returning this right to control personal data to the individual is paramount to the success of any data-driven society. If you deposit money in a bank, you have the right to take out as much money as you want, whenever you want, so long as it is not a term deposit account. Shouldn’t information be handled the same way? You should be able to take out as much information as you want, whenever you want, and transfer that information to a different information bank if you so wish. When this is realized, we will have achieved individual-based information distribution in the true sense.
Information banks that guarantee data portability must have the following functions:
- Safe and secure data storage and management
- Formation and visualization (including traceability) of data usage history
- Disclosure control
- Transfer to (and from) other information banks
These are all actions our societies currently fail consumers on. This is why information banks are necessary.
Information banks are needed to protect the individual rights of consumers
What must be remembered is that the function of information banks is to support data distribution under the direction of individual consumers, and information banks must be a social infrastructure system that protects individual consumers’ rights. This system must be able to be put into practice, not merely developed in theory.
Information banks should be considered differently to those institutions that currently fall under the definition of personal data services/stores (PDS) – especially those which function merely to enrich third parties, as opposed to the consumers who entrust their data for storage.
Furthermore, instead of empowering giant digital platform companies and other companies by limiting the scope of the debate to privacy protection, information banks must serve to actually better people’s lives. This is where the open ecosystem comes in, and this is the type of social infrastructure system that we are striving to build in the form of information banks: a system designed to support data distribution under the direction of the individual consumers themselves.
Proposal for a social infrastructure system in the form of information banks
Fujitsu Research Institute aims to establish a business that uses data with a focus on the individual consumer. To do so, we need not only systematic and technological solutions but we must first explore business models for monetization. Initial costs may be covered by government subsidies, but if a business model is built that is not sustainable in the long term, consumers shouldn’t be expected to trust that business with distributing their valuable personal data.
Accordingly, any proposition for a social infrastructure system in the form of information banks, and that offers a functioning data portability service, should be backed up by a sustainable business model. Only by doing this will it be possible to ensure lasting change, and the best chance of developing and delivering on the promise of a data-driven society.
Principal Consultant, Cross-Industry Group, Fujitsu Research Institute
Kyosuke Yukawa joined a consulting company in 2003. Then, he joined Fujitsu Research Institute in July 2006. His career history includes research and consulting in the fields of safety and security concerning disaster damage prevention and healthcare both in Japan and overseas. In recent years, he has engaged in consulting work mainly regarding collaborative efforts between medical and nursing care as well as Community-based Integrated Care System (region-based comprehensive care systems).
* This article is a partially edited version of an article previously published in Chisounomori (Vol. 1, 2019, pp. 23-7)
* The position and division of the author were current as of the time of publication in Chisounomori